Why Startups Are The New Super Heroes Of Cyber Security

This article is more than 9 years old.

It’s hard to imagine a time when cyber security wasn’t an almost daily fixture in headlines. With news about the Target security breach still surfacing more than nine months after the fact, and with more recent stories on the Home Depot hacking and the Heartbleed bug contributing to overall paranoia, the public eye is trained on cyber security more than ever. But maybe that’s a good thing.

“It’s not new for companies to get breached,” says Ted Schlein, general partner at Kleiner Perkins Caufield & Byers (KPCB) and founder/CEO of security company Fortify Software, now owned by HP. “It might be news to most of the public, but really, companies have been getting breached for decades.”

What is new, however, is how often breaches happen and how much they get publicized, and the result has been a major (and some say, much needed) paradigm shift.

“Until now, most of cyber security had been about finding what is bad. It was all about the antivirus,” says Schlein. “That led to a preventative point-of-view, which said, If I can protect my networks, then I’m safe.”

But as the rash of attacks against Target and other top retailers has shown, that prevention-first security strategy, known as “the M&M theory,” was not so secure. And with one of the most famed antivirus makers themselves now declaring the death of the antivirus, to say the prevention approach has failed seems to hit the nail on the head—and into the coffin.

“For the last dozen years or so, I’ve talked about building security from the inside out. That means hardening the actual assets people are after before you go about trying to secure your perimeter,” says Schlein. “I think people are starting to get that.”

While no one suggests abandoning antivirus software completely, cyber security today is a much more complicated game of detection, deflection, and data protection. Although much easier said than done, the search beyond prevention-focused solutions has opened plenty of doors for the private sector, and startups are running through.

But when threats range from global espionage to terrorists, hackers, bots, and even your thermostat, what’s there for a little startup to do?

As it turns out, a whole lot.

Fighting Fire With Fire, Without A Firewall

Since last year’s holiday season breach compromised at least 40 million customer credit cards, every company has feared getting hung out to dry on a headline. And with the firing of ex-Target CEO Gregg Steinhafel, no CEO wants to be in that position, either.

“The Target firing was a watershed moment,” says Schlein. “Now, boards are asking their CEOs, How secure are we?, because the board isn’t really outfitted to answer. And the CEOs are asking the CIOs, and the CIOs are asking the CISOs, and the CISOs might mumble something.”

But at least one startup, Shape Security, has an answer: Not very.

“When dealing with threats on a network, website, or any part of your infrastructure, you’re not just dealing with individuals with limited resources,” says Shuman Ghosemajumder, vice president of strategy at Shape Security. “You’re dealing with an entire ecosystem of highly specialized organizations that can get around every single security technology made up to this point.”

For decades, traditional cyber security worked by identifying types of attacks and then developing tools, like the firewall, to block and detect them. Then in 2010, two seasoned security executives (one an ex-Googler and the other an entrepreneur) met at the Pentagon, while working with the Department of Defense. Together with a third cyber security veteran, Justin Call, they found another way, and founded Shape.

“Rather than try to keep up with all the permutations made possible by these sophisticated attacks, we’re putting the onus of the work on the criminals,” says Ghosemajumder. “We’re applying polymorphism ourselves, so the adversaries have to keep up with us instead of the other way around.”

Normally when developers code a web application, that code is static. As a result, automated attackers (including malware and bots) can exploit the code to locate username and password fields on a website, and then create a script to steal the information undetected.

With Shape Security’s botwall in place, however, a bot will try to grab those fields from a site’s code and find that the code constantly changes.

“If you create sufficient complexity,” says Ghosemajumder, “it becomes an almost impossible problem to solve.”

While many organizations have made it a point not to become “the next Target,” Ghosemajumder assures that you no longer have to be a unique target to become a victim.

“Criminals are using automation to identify any site for opportunity. There doesn’t have to be anything special about your organization,” he says. “This applies to anyone who has a website.”

It stands to reason that as attacks get more sophisticated, our first wall of defense should do more than stop fire. It should also shift shape.

Castles In The Cloud

However clever and effective Shape’s technology, Ghosemajumder makes clear that the ShapeShifter product is no silver bullet. While Shape helps secure web applications from unauthorized automated attacks, it cannot protect your data, for example, while you’re interacting with a web app.

One area it also doesn’t touch is the cloud.

“As we start to aggregate systems and all our data in the cloud, it retains a lot of interesting, potential threats,” says Schlein. “All that information gets stored in one place, on one system. So now the bad guys know exactly where to go.”

But with more devices generating more data, and more networks connecting to more data centers, the solution isn’t as easy as relocating all that data into hardware. It’s not exactly feasible to fence in a cloud, either.

What we need, says Adam Ghetti, founder and chief technology officer of Ionic Security, is another solution.

“Over the last few years, security models in the enterprise were focused on building perimeters, on keeping data all in one place,” he says. “Now, in the cloud, data is in so many places and getting constantly acted upon. There is no perimeter.”

Launched in 2012 as Social Fortress, Ionic is still in relative stealth mode. But its goals and approach to securing data in the cloud are transparent.

“We exist because control over data security and privacy is currently with infrastructure and network operators—people who don’t make the data,” says Ghetti. “Ionic exists to invert that model and put the control of data back in the hands of those who make it.”

While original security tools were built to protect devices like apps and servers, Ionic aims to secure what really needs protecting - data - especially now that it’s in a cloud.

Rather than try to erect walls around a highly distributed architecture, or secure multiple access points (your iPhone, iPad, laptop, etc.) behind a gate, Ionic is securing the data itself in a single-step process at the point of its creation, so it doesn’t matter where the data ends up or how it’s accessed. It’ll always be safe.

The hardest part about securing data, Schlein argues, is encrypting it with no impact on the everyday enterprise cloud user. That means locking up the data while keeping the cloud’s main advantage free: its easy access to data and ease of sharing.

“The world looks different today than it did even just five years ago,” says Ghetti. “We believe users should never have to sacrifice functionality for privacy. There shouldn’t have to be a compromise in using the device you want on the network you want.”

While the notion of securing the cloud might be akin to building castles in the air, companies like Ionic are developing alternatives to old security models, so we can continue using new solutions.

Brawn And Brains

Even with Shape’s polymorphic technology deflecting malware and bots from your infrastructure, and Ionic forging armor for your data in the cloud, developing a long-term cyber security solution requires more than just brawn. It also needs brains.

Synack, started just last year, works under the premise that organizations have been ill-equipped to deal with growing security issues. But they don’t have to go it alone.

“We felt that if you put the right people together in a room, and they’re motivated, you’ll probably be successful at whatever you’re trying to accomplish,” says Jay Kaplan, co-founding CEO of Synack and former NSA official. “So we took the model of the bug bounty and expanded it.”

Taking the approach of crowd sourced intelligence, Synack assembles a global community of security researchers on one unified, subscription-based platform, which it playfully calls “Security-as-a-Service.”

With incentives ranging from dollars to prizes for top performers, Synack puts its crowd of researchers on a testing platform and lets them do their worst on a client’s code. Then, with the results compiled in a single report, Synack rates the client’s vulnerability and offers suggestions on remediation.

Later, they do it all again.

“Because the security threat is so vast and complicated, and because bad agents are so well-funded, I don’t think global two thousand companies are going to be able to hire all the talent they need to test their security, or do it on an ongoing basis,” says Schlein.

While it makes logistical sense to outsource that talent, Kaplan notes that sharing security intelligence is not often an organization’s first instinct. But more than just providing extra hands, an expanded and diversified pool of information also beefs up security in the long run.

“No one usually hears crowd sourced and security in the same sentence,” admits Kaplan. “But even those companies that spend a fortune to hire security teams realize that hackers come from different backgrounds and experiences, and that their security will be more successful if they hit the full gamut of techniques.”

As more data moves to the cloud, software seems to be in a constant state of development, which makes continuous testing for vulnerabilities essential if you want your software to be secure. The way that software is developed today, explains Schlein, changes are made almost every night, meaning that software is consistently vulnerable.

“By crowd sourcing, you’re getting the best of the best focused on your company, and you’re doing it in a scalable manner,” he says. “So now you or your CEO can answer that question, How secure are we?”

Even as Synack puts careful emphasis on vetting all of its researchers, Kaplan recognizes why some enterprise companies might hesitate before they willingly expose their code to test hacks.

But along with the diversity and scalability provided by its research community, Synack is offering an element that many might underestimate: a human touch.

“While automation will get better, and lots of innovative companies continue to make headway, there will always be a gap between what products can accomplish in security and what humans can find in a susceptible code,” says Kaplan.

As necessary as automated security technology still is, behind every cyber attack there’s a human. And to catch a criminal, sometimes you have to think like one.

Looking Ahead

Though the battle for cyber security may be continuous, with a new threat sprouting after each new counter measure, none of the security experts we spoke with were eager to paint a doomsday scenario.

“Ultimately, if you were truly paranoid, you would take everyone off the Internet,” says Schlein.

But as the stakes have gotten higher, even as more billions of dollars than ever are spent on solutions, there is a strong case for changing our approach to cyber security. The first step is acceptance.

“Until enterprises and consumers accept that old models aren’t working, they’ll stay behind the curve,” says Ghetti. “The sooner you accept it, the sooner you’ll get ahead.”

Whether it’s through shape-shifting botwalls, data encryption, crowd sourced intelligence, or a combination of all three, many would agree that the strongest defense we have against cyber threats today is innovation.

Luckily, there is an entire industry devoted to just that.

Follow us on Twitter @TrueBridgeCP